mirror of
https://github.com/reactos/reactos.git
synced 2024-12-28 10:04:49 +00:00
revert my last changes back to Alex's version of ObpCaptureObjectAttributes as I'm being an incompetent ass. This will introduce several vulnerabilities and bugs again.
svn path=/trunk/; revision=17217
This commit is contained in:
parent
4280eeb5a3
commit
3ed0977d46
7 changed files with 152 additions and 326 deletions
|
@ -192,19 +192,20 @@ NtCreateKey(OUT PHANDLE KeyHandle,
|
|||
PWSTR Start;
|
||||
UNICODE_STRING ObjectName;
|
||||
OBJECT_CREATE_INFORMATION ObjectCreateInfo;
|
||||
KPROCESSOR_MODE PreviousMode;
|
||||
unsigned i;
|
||||
|
||||
PAGED_CODE();
|
||||
|
||||
PreviousMode = KeGetPreviousMode();
|
||||
DPRINT("NtCreateKey (Name %wZ KeyHandle 0x%p Root 0x%p)\n",
|
||||
ObjectAttributes->ObjectName,
|
||||
KeyHandle,
|
||||
ObjectAttributes->RootDirectory);
|
||||
|
||||
/* Capture all the info */
|
||||
DPRINT("Capturing Create Info\n");
|
||||
Status = ObpCaptureObjectAttributes(ObjectAttributes,
|
||||
PreviousMode,
|
||||
PagedPool,
|
||||
FALSE,
|
||||
KeGetPreviousMode(),
|
||||
CmiKeyType,
|
||||
&ObjectCreateInfo,
|
||||
&ObjectName);
|
||||
if (!NT_SUCCESS(Status))
|
||||
|
@ -218,10 +219,8 @@ NtCreateKey(OUT PHANDLE KeyHandle,
|
|||
(PVOID*)&Object,
|
||||
&RemainingPath,
|
||||
CmiKeyType);
|
||||
ObpReleaseCapturedAttributes(&ObjectCreateInfo,
|
||||
&ObjectName,
|
||||
PreviousMode,
|
||||
FALSE);
|
||||
ObpReleaseCapturedAttributes(&ObjectCreateInfo);
|
||||
if (ObjectName.Buffer) ExFreePool(ObjectName.Buffer);
|
||||
if (!NT_SUCCESS(Status))
|
||||
{
|
||||
DPRINT("CmpFindObject failed, Status: 0x%x\n", Status);
|
||||
|
@ -1170,8 +1169,7 @@ NtOpenKey(OUT PHANDLE KeyHandle,
|
|||
DPRINT("Capturing Create Info\n");
|
||||
Status = ObpCaptureObjectAttributes(ObjectAttributes,
|
||||
PreviousMode,
|
||||
PagedPool,
|
||||
FALSE,
|
||||
CmiKeyType,
|
||||
&ObjectCreateInfo,
|
||||
&ObjectName);
|
||||
if (!NT_SUCCESS(Status))
|
||||
|
@ -1187,10 +1185,8 @@ NtOpenKey(OUT PHANDLE KeyHandle,
|
|||
(PVOID*)&Object,
|
||||
&RemainingPath,
|
||||
CmiKeyType);
|
||||
ObpReleaseCapturedAttributes(&ObjectCreateInfo,
|
||||
&ObjectName,
|
||||
PreviousMode,
|
||||
FALSE);
|
||||
ObpReleaseCapturedAttributes(&ObjectCreateInfo);
|
||||
if (ObjectName.Buffer) ExFreePool(ObjectName.Buffer);
|
||||
if (!NT_SUCCESS(Status))
|
||||
{
|
||||
DPRINT("CmpFindObject() returned 0x%08lx\n", Status);
|
||||
|
|
|
@ -705,8 +705,7 @@ CmiConnectHive(IN POBJECT_ATTRIBUTES KeyObjectAttributes,
|
|||
DPRINT("Capturing Create Info\n");
|
||||
Status = ObpCaptureObjectAttributes(KeyObjectAttributes,
|
||||
KernelMode,
|
||||
PagedPool,
|
||||
FALSE,
|
||||
CmiKeyType,
|
||||
&ObjectCreateInfo,
|
||||
&ObjectName);
|
||||
if (!NT_SUCCESS(Status))
|
||||
|
@ -720,10 +719,8 @@ CmiConnectHive(IN POBJECT_ATTRIBUTES KeyObjectAttributes,
|
|||
(PVOID*)&ParentKey,
|
||||
&RemainingPath,
|
||||
CmiKeyType);
|
||||
ObpReleaseCapturedAttributes(&ObjectCreateInfo,
|
||||
&ObjectName,
|
||||
KernelMode,
|
||||
FALSE);
|
||||
ObpReleaseCapturedAttributes(&ObjectCreateInfo);
|
||||
if (ObjectName.Buffer) ExFreePool(ObjectName.Buffer);
|
||||
if (!NT_SUCCESS(Status))
|
||||
{
|
||||
return Status;
|
||||
|
|
|
@ -173,6 +173,14 @@ ObFastDereferenceObject(IN PEX_FAST_REF FastRef,
|
|||
|
||||
/* Secure object information functions */
|
||||
|
||||
typedef struct _CAPTURED_OBJECT_ATTRIBUTES
|
||||
{
|
||||
HANDLE RootDirectory;
|
||||
ULONG Attributes;
|
||||
PSECURITY_DESCRIPTOR SecurityDescriptor;
|
||||
PSECURITY_QUALITY_OF_SERVICE SecurityQualityOfService;
|
||||
} CAPTURED_OBJECT_ATTRIBUTES, *PCAPTURED_OBJECT_ATTRIBUTES;
|
||||
|
||||
NTSTATUS
|
||||
STDCALL
|
||||
ObpCaptureObjectName(IN PUNICODE_STRING CapturedName,
|
||||
|
@ -181,19 +189,16 @@ ObpCaptureObjectName(IN PUNICODE_STRING CapturedName,
|
|||
|
||||
NTSTATUS
|
||||
STDCALL
|
||||
ObpCaptureObjectAttributes(IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
|
||||
ObpCaptureObjectAttributes(IN POBJECT_ATTRIBUTES ObjectAttributes,
|
||||
IN KPROCESSOR_MODE AccessMode,
|
||||
IN POOL_TYPE PoolType,
|
||||
IN BOOLEAN CaptureIfKernel,
|
||||
OUT POBJECT_CREATE_INFORMATION CapturedObjectAttributes OPTIONAL,
|
||||
OUT PUNICODE_STRING ObjectName OPTIONAL);
|
||||
IN POBJECT_TYPE ObjectType,
|
||||
IN POBJECT_CREATE_INFORMATION ObjectCreateInfo,
|
||||
OUT PUNICODE_STRING ObjectName);
|
||||
|
||||
VOID
|
||||
STDCALL
|
||||
ObpReleaseCapturedAttributes(IN POBJECT_CREATE_INFORMATION CapturedObjectAttributes OPTIONAL,
|
||||
IN PUNICODE_STRING ObjectName OPTIONAL,
|
||||
IN KPROCESSOR_MODE AccessMode,
|
||||
IN BOOLEAN CaptureIfKernel);
|
||||
ObpReleaseCapturedAttributes(IN POBJECT_CREATE_INFORMATION ObjectCreateInfo);
|
||||
|
||||
/* object information classes */
|
||||
|
||||
#define ICIF_QUERY 0x1
|
||||
|
|
|
@ -410,7 +410,7 @@ NtConnectPort (PHANDLE UnsafeConnectedPortHandle,
|
|||
NULL,
|
||||
PORT_ALL_ACCESS, /* DesiredAccess */
|
||||
LpcPortObjectType,
|
||||
PreviousMode,
|
||||
UserMode,
|
||||
NULL,
|
||||
(PVOID*)&NamedPort);
|
||||
if (!NT_SUCCESS(Status))
|
||||
|
@ -430,7 +430,7 @@ NtConnectPort (PHANDLE UnsafeConnectedPortHandle,
|
|||
Status = ObReferenceObjectByHandle(WriteMap.SectionHandle,
|
||||
SECTION_MAP_READ | SECTION_MAP_WRITE,
|
||||
MmSectionObjectType,
|
||||
PreviousMode,
|
||||
UserMode,
|
||||
(PVOID*)&SectionObject,
|
||||
NULL);
|
||||
if (!NT_SUCCESS(Status))
|
||||
|
|
|
@ -955,7 +955,7 @@ ObInsertObject(IN PVOID Object,
|
|||
/* First try to find the Object */
|
||||
if (ObjectNameInfo && ObjectNameInfo->Name.Buffer)
|
||||
{
|
||||
DPRINT("Object has a name. Trying to find it: \"%wZ\".\n", &ObjectNameInfo->Name);
|
||||
DPRINT("Object has a name. Trying to find it: %wZ.\n", &ObjectNameInfo->Name);
|
||||
Status = ObFindObject(ObjectCreateInfo,
|
||||
&ObjectNameInfo->Name,
|
||||
&FoundObject,
|
||||
|
@ -1132,10 +1132,7 @@ ObInsertObject(IN PVOID Object,
|
|||
|
||||
/* We can delete the Create Info now */
|
||||
Header->ObjectCreateInfo = NULL;
|
||||
ObpReleaseCapturedAttributes(ObjectCreateInfo,
|
||||
NULL,
|
||||
ObjectCreateInfo->ProbeMode,
|
||||
FALSE);
|
||||
ObpReleaseCapturedAttributes(ObjectCreateInfo);
|
||||
ExFreePool(ObjectCreateInfo);
|
||||
|
||||
DPRINT("Status %x\n", Status);
|
||||
|
|
|
@ -71,34 +71,19 @@ ObReferenceObjectByName(PUNICODE_STRING ObjectPath,
|
|||
|
||||
PAGED_CODE();
|
||||
|
||||
/* capture the ObjectPath */
|
||||
Status = RtlCaptureUnicodeString(&ObjectName,
|
||||
AccessMode,
|
||||
NonPagedPool, /* FIXME */
|
||||
FALSE,
|
||||
ObjectPath);
|
||||
if (!NT_SUCCESS(Status))
|
||||
{
|
||||
DPRINT("RtlCaptureUnicodeString() failed (Status %lx)\n", Status);
|
||||
return Status;
|
||||
}
|
||||
|
||||
InitializeObjectAttributes(&ObjectAttributes,
|
||||
&ObjectName,
|
||||
ObjectPath,
|
||||
Attributes | OBJ_OPENIF,
|
||||
NULL,
|
||||
NULL);
|
||||
|
||||
/* "Capture" all the info, it doesn't make sense to capture from the kernel
|
||||
stack as the information should be safe anyway...just do a raw copy of the
|
||||
data into the OBJECT_CREATE_INFORMATION structure */
|
||||
/* Capture all the info */
|
||||
DPRINT("Capturing Create Info\n");
|
||||
Status = ObpCaptureObjectAttributes(&ObjectAttributes,
|
||||
KernelMode, /* raw copy! */
|
||||
NonPagedPool,
|
||||
FALSE,
|
||||
AccessMode,
|
||||
ObjectType,
|
||||
&ObjectCreateInfo,
|
||||
NULL);
|
||||
&ObjectName);
|
||||
if (!NT_SUCCESS(Status))
|
||||
{
|
||||
DPRINT("ObpCaptureObjectAttributes() failed (Status %lx)\n", Status);
|
||||
|
@ -111,18 +96,8 @@ ObReferenceObjectByName(PUNICODE_STRING ObjectPath,
|
|||
&RemainingPath,
|
||||
ObjectType);
|
||||
|
||||
/* we don't need to release the "captured" object attributes! Nothing was allocated! */
|
||||
#if 0
|
||||
ObpReleaseCapturedAttributes(&ObjectCreateInfo,
|
||||
NULL,
|
||||
AccessMode,
|
||||
FALSE);
|
||||
#endif
|
||||
|
||||
/* free the captured ObjectPath if needed */
|
||||
RtlReleaseCapturedUnicodeString(&ObjectName,
|
||||
AccessMode,
|
||||
FALSE);
|
||||
ObpReleaseCapturedAttributes(&ObjectCreateInfo);
|
||||
if (ObjectName.Buffer) ExFreePool(ObjectName.Buffer);
|
||||
|
||||
if (!NT_SUCCESS(Status))
|
||||
{
|
||||
|
@ -194,8 +169,7 @@ ObOpenObjectByName(IN POBJECT_ATTRIBUTES ObjectAttributes,
|
|||
DPRINT("Capturing Create Info\n");
|
||||
Status = ObpCaptureObjectAttributes(ObjectAttributes,
|
||||
AccessMode,
|
||||
PagedPool,
|
||||
FALSE,
|
||||
ObjectType,
|
||||
&ObjectCreateInfo,
|
||||
&ObjectName);
|
||||
if (!NT_SUCCESS(Status))
|
||||
|
@ -209,10 +183,8 @@ ObOpenObjectByName(IN POBJECT_ATTRIBUTES ObjectAttributes,
|
|||
&Object,
|
||||
&RemainingPath,
|
||||
ObjectType);
|
||||
ObpReleaseCapturedAttributes(&ObjectCreateInfo,
|
||||
&ObjectName,
|
||||
AccessMode,
|
||||
FALSE);
|
||||
ObpReleaseCapturedAttributes(&ObjectCreateInfo);
|
||||
if (ObjectName.Buffer) ExFreePool(ObjectName.Buffer);
|
||||
if (!NT_SUCCESS(Status))
|
||||
{
|
||||
DPRINT("ObFindObject() failed (Status %lx)\n", Status);
|
||||
|
|
|
@ -110,296 +110,161 @@ ObpCaptureObjectName(IN OUT PUNICODE_STRING CapturedName,
|
|||
|
||||
NTSTATUS
|
||||
STDCALL
|
||||
ObpCaptureObjectAttributes(IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
|
||||
ObpCaptureObjectAttributes(IN POBJECT_ATTRIBUTES ObjectAttributes,
|
||||
IN KPROCESSOR_MODE AccessMode,
|
||||
IN POOL_TYPE PoolType,
|
||||
IN BOOLEAN CaptureIfKernel,
|
||||
OUT POBJECT_CREATE_INFORMATION CapturedObjectAttributes OPTIONAL,
|
||||
OUT PUNICODE_STRING ObjectName OPTIONAL)
|
||||
IN POBJECT_TYPE ObjectType,
|
||||
IN POBJECT_CREATE_INFORMATION ObjectCreateInfo,
|
||||
OUT PUNICODE_STRING ObjectName)
|
||||
{
|
||||
OBJECT_ATTRIBUTES AttributesCopy;
|
||||
NTSTATUS Status = STATUS_SUCCESS;
|
||||
PSECURITY_DESCRIPTOR SecurityDescriptor;
|
||||
PSECURITY_QUALITY_OF_SERVICE SecurityQos;
|
||||
PUNICODE_STRING LocalObjectName = NULL;
|
||||
|
||||
/* at least one output parameter must be != NULL! */
|
||||
ASSERT(CapturedObjectAttributes != NULL || ObjectName != NULL);
|
||||
/* Zero out the Capture Data */
|
||||
DPRINT("ObpCaptureObjectAttributes\n");
|
||||
RtlZeroMemory(ObjectCreateInfo, sizeof(OBJECT_CREATE_INFORMATION));
|
||||
|
||||
if (ObjectAttributes == NULL)
|
||||
/* Check if we got Oba */
|
||||
if (ObjectAttributes)
|
||||
{
|
||||
/* we're going to return STATUS_SUCCESS! */
|
||||
goto failbasiccleanup;
|
||||
}
|
||||
|
||||
if (AccessMode != KernelMode)
|
||||
{
|
||||
DPRINT("Probing OBA\n");
|
||||
_SEH_TRY
|
||||
{
|
||||
/* FIXME: SMSS SENDS BULLSHIT. */
|
||||
#if 0
|
||||
ProbeForRead(ObjectAttributes,
|
||||
sizeof(ObjectAttributes),
|
||||
sizeof(ULONG));
|
||||
/* make a copy on the stack */
|
||||
AttributesCopy = *ObjectAttributes;
|
||||
#endif
|
||||
}
|
||||
_SEH_HANDLE
|
||||
{
|
||||
Status = _SEH_GetExceptionCode();
|
||||
}
|
||||
_SEH_END;
|
||||
}
|
||||
|
||||
/* Validate the Size */
|
||||
DPRINT("Validating OBA\n");
|
||||
if (ObjectAttributes->Length != sizeof(OBJECT_ATTRIBUTES))
|
||||
{
|
||||
Status = STATUS_INVALID_PARAMETER;
|
||||
}
|
||||
|
||||
/* Fail if SEH or Size Validation failed */
|
||||
if(!NT_SUCCESS(Status))
|
||||
{
|
||||
DPRINT1("ObpCaptureObjectAttributes failed to probe object attributes 0x%p\n", ObjectAttributes);
|
||||
goto failbasiccleanup;
|
||||
}
|
||||
}
|
||||
else if (!CaptureIfKernel)
|
||||
{
|
||||
if (ObjectAttributes->Length == sizeof(OBJECT_ATTRIBUTES))
|
||||
{
|
||||
if (ObjectName != NULL)
|
||||
{
|
||||
/* we don't have to capture any memory, the caller considers the passed data
|
||||
as valid */
|
||||
if (ObjectAttributes->ObjectName != NULL)
|
||||
{
|
||||
*ObjectName = *ObjectAttributes->ObjectName;
|
||||
}
|
||||
else
|
||||
{
|
||||
ObjectName->Length = ObjectName->MaximumLength = 0;
|
||||
ObjectName->Buffer = NULL;
|
||||
}
|
||||
}
|
||||
if (CapturedObjectAttributes != NULL)
|
||||
{
|
||||
CapturedObjectAttributes->RootDirectory = ObjectAttributes->RootDirectory;
|
||||
CapturedObjectAttributes->Attributes = ObjectAttributes->Attributes;
|
||||
CapturedObjectAttributes->SecurityDescriptor = ObjectAttributes->SecurityDescriptor;
|
||||
CapturedObjectAttributes->SecurityDescriptorCharge = 0; /* FIXME */
|
||||
CapturedObjectAttributes->ProbeMode = AccessMode;
|
||||
DPRINT1("ObpCaptureObjectAttributes failed to probe object attributes\n");
|
||||
goto fail;
|
||||
}
|
||||
|
||||
return STATUS_SUCCESS;
|
||||
}
|
||||
else
|
||||
{
|
||||
Status = STATUS_INVALID_PARAMETER;
|
||||
goto failbasiccleanup;
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
AttributesCopy = *ObjectAttributes;
|
||||
}
|
||||
/* Set some Create Info */
|
||||
DPRINT("Creating OBCI\n");
|
||||
ObjectCreateInfo->RootDirectory = ObjectAttributes->RootDirectory;
|
||||
ObjectCreateInfo->Attributes = ObjectAttributes->Attributes;
|
||||
LocalObjectName = ObjectAttributes->ObjectName;
|
||||
SecurityDescriptor = ObjectAttributes->SecurityDescriptor;
|
||||
SecurityQos = ObjectAttributes->SecurityQualityOfService;
|
||||
|
||||
/* if Length isn't as expected, bail with an invalid parameter status code so
|
||||
the caller knows he passed garbage... */
|
||||
if (AttributesCopy.Length != sizeof(OBJECT_ATTRIBUTES))
|
||||
/* Validate the SD */
|
||||
if (SecurityDescriptor)
|
||||
{
|
||||
Status = STATUS_INVALID_PARAMETER;
|
||||
goto failbasiccleanup;
|
||||
}
|
||||
|
||||
if (CapturedObjectAttributes != NULL)
|
||||
{
|
||||
CapturedObjectAttributes->RootDirectory = AttributesCopy.RootDirectory;
|
||||
CapturedObjectAttributes->Attributes = AttributesCopy.Attributes;
|
||||
|
||||
if (AttributesCopy.SecurityDescriptor != NULL)
|
||||
{
|
||||
Status = SeCaptureSecurityDescriptor(AttributesCopy.SecurityDescriptor,
|
||||
DPRINT("Probing SD: %x\n", SecurityDescriptor);
|
||||
Status = SeCaptureSecurityDescriptor(SecurityDescriptor,
|
||||
AccessMode,
|
||||
PoolType,
|
||||
NonPagedPool,
|
||||
TRUE,
|
||||
&CapturedObjectAttributes->SecurityDescriptor);
|
||||
&ObjectCreateInfo->SecurityDescriptor);
|
||||
if(!NT_SUCCESS(Status))
|
||||
{
|
||||
DPRINT1("Unable to capture the security descriptor!!!\n");
|
||||
goto failbasiccleanup;
|
||||
}
|
||||
CapturedObjectAttributes->SecurityDescriptorCharge = 0; /* FIXME */
|
||||
}
|
||||
else
|
||||
{
|
||||
CapturedObjectAttributes->SecurityDescriptor = NULL;
|
||||
CapturedObjectAttributes->SecurityDescriptorCharge = 0;
|
||||
}
|
||||
ObjectCreateInfo->SecurityDescriptor = NULL;
|
||||
goto fail;
|
||||
}
|
||||
|
||||
if (ObjectName != NULL)
|
||||
{
|
||||
ObjectName->Buffer = NULL;
|
||||
DPRINT("Probe done\n");
|
||||
ObjectCreateInfo->SecurityDescriptorCharge = 0; /* FIXME */
|
||||
ObjectCreateInfo->ProbeMode = AccessMode;
|
||||
}
|
||||
|
||||
if (AttributesCopy.ObjectName != NULL)
|
||||
/* Validate the QoS */
|
||||
if (SecurityQos)
|
||||
{
|
||||
UNICODE_STRING OriginalCopy = {0};
|
||||
|
||||
if (AccessMode != KernelMode)
|
||||
{
|
||||
DPRINT("Probing QoS\n");
|
||||
_SEH_TRY
|
||||
{
|
||||
/* probe the ObjectName structure and make a local stack copy of it */
|
||||
ProbeForRead(AttributesCopy.ObjectName,
|
||||
sizeof(UNICODE_STRING),
|
||||
ProbeForRead(SecurityQos,
|
||||
sizeof(SECURITY_QUALITY_OF_SERVICE),
|
||||
sizeof(ULONG));
|
||||
OriginalCopy = *AttributesCopy.ObjectName;
|
||||
if (OriginalCopy.Length > 0)
|
||||
{
|
||||
ProbeForRead(OriginalCopy.Buffer,
|
||||
OriginalCopy.Length,
|
||||
sizeof(WCHAR));
|
||||
}
|
||||
}
|
||||
_SEH_HANDLE
|
||||
{
|
||||
Status = _SEH_GetExceptionCode();
|
||||
}
|
||||
_SEH_END;
|
||||
|
||||
if (NT_SUCCESS(Status))
|
||||
{
|
||||
ObjectName->Length = OriginalCopy.Length;
|
||||
|
||||
if(OriginalCopy.Length > 0)
|
||||
{
|
||||
ObjectName->MaximumLength = OriginalCopy.Length + sizeof(WCHAR);
|
||||
ObjectName->Buffer = ExAllocatePool(PoolType,
|
||||
ObjectName->MaximumLength);
|
||||
if (ObjectName->Buffer != NULL)
|
||||
{
|
||||
_SEH_TRY
|
||||
{
|
||||
/* no need to probe OriginalCopy.Buffer again, we already did that
|
||||
when capturing the UNICODE_STRING structure itself */
|
||||
RtlCopyMemory(ObjectName->Buffer, OriginalCopy.Buffer, OriginalCopy.Length);
|
||||
ObjectName->Buffer[OriginalCopy.Length / sizeof(WCHAR)] = L'\0';
|
||||
}
|
||||
_SEH_HANDLE
|
||||
{
|
||||
Status = _SEH_GetExceptionCode();
|
||||
}
|
||||
_SEH_END;
|
||||
|
||||
if(!NT_SUCCESS(Status))
|
||||
{
|
||||
DPRINT1("ObpCaptureObjectAttributes failed to copy the unicode string!\n");
|
||||
DPRINT1("Unable to capture QoS!!!\n");
|
||||
goto fail;
|
||||
}
|
||||
|
||||
ObjectCreateInfo->SecurityQualityOfService = *SecurityQos;
|
||||
ObjectCreateInfo->SecurityQos = &ObjectCreateInfo->SecurityQualityOfService;
|
||||
}
|
||||
}
|
||||
|
||||
/* Clear Local Object Name */
|
||||
DPRINT("Clearing name\n");
|
||||
RtlZeroMemory(ObjectName, sizeof(UNICODE_STRING));
|
||||
|
||||
/* Now check if the Object Attributes had an Object Name */
|
||||
if (LocalObjectName)
|
||||
{
|
||||
DPRINT("Name Buffer: %x\n", LocalObjectName->Buffer);
|
||||
Status = ObpCaptureObjectName(ObjectName,
|
||||
LocalObjectName,
|
||||
AccessMode);
|
||||
}
|
||||
else
|
||||
{
|
||||
Status = STATUS_INSUFFICIENT_RESOURCES;
|
||||
}
|
||||
}
|
||||
else if(AttributesCopy.RootDirectory != NULL /* && OriginalCopy.Length == 0 */)
|
||||
/* He can't have specified a Root Directory */
|
||||
if (ObjectCreateInfo->RootDirectory)
|
||||
{
|
||||
/* if the caller specified a root directory, there must be an object name! */
|
||||
DPRINT1("Invalid name\n");
|
||||
Status = STATUS_OBJECT_NAME_INVALID;
|
||||
}
|
||||
else
|
||||
{
|
||||
ObjectName->Length = ObjectName->MaximumLength = 0;
|
||||
}
|
||||
}
|
||||
#ifdef DBG
|
||||
else
|
||||
{
|
||||
DPRINT1("ObpCaptureObjectAttributes failed to probe the object name UNICODE_STRING structure!\n");
|
||||
}
|
||||
#endif
|
||||
}
|
||||
else /* AccessMode == KernelMode */
|
||||
{
|
||||
OriginalCopy = *AttributesCopy.ObjectName;
|
||||
ObjectName->Length = OriginalCopy.Length;
|
||||
|
||||
if (OriginalCopy.Length > 0)
|
||||
{
|
||||
ObjectName->MaximumLength = OriginalCopy.Length + sizeof(WCHAR);
|
||||
ObjectName->Buffer = ExAllocatePool(PoolType,
|
||||
ObjectName->MaximumLength);
|
||||
if (ObjectName->Buffer != NULL)
|
||||
{
|
||||
RtlCopyMemory(ObjectName->Buffer, OriginalCopy.Buffer, OriginalCopy.Length);
|
||||
ObjectName->Buffer[OriginalCopy.Length / sizeof(WCHAR)] = L'\0';
|
||||
}
|
||||
else
|
||||
{
|
||||
Status = STATUS_INSUFFICIENT_RESOURCES;
|
||||
}
|
||||
}
|
||||
else if (AttributesCopy.RootDirectory != NULL /* && OriginalCopy.Length == 0 */)
|
||||
{
|
||||
/* if the caller specified a root directory, there must be an object name! */
|
||||
Status = STATUS_OBJECT_NAME_INVALID;
|
||||
}
|
||||
else
|
||||
{
|
||||
ObjectName->Length = ObjectName->MaximumLength = 0;
|
||||
}
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
ObjectName->Length = ObjectName->MaximumLength = 0;
|
||||
}
|
||||
}
|
||||
|
||||
CapturedObjectAttributes->ProbeMode = AccessMode;
|
||||
|
||||
fail:
|
||||
if (!NT_SUCCESS(Status))
|
||||
{
|
||||
if (ObjectName != NULL && ObjectName->Buffer)
|
||||
{
|
||||
ExFreePool(ObjectName->Buffer);
|
||||
}
|
||||
if (CapturedObjectAttributes != NULL)
|
||||
{
|
||||
/* cleanup allocated resources */
|
||||
SeReleaseSecurityDescriptor(CapturedObjectAttributes->SecurityDescriptor,
|
||||
AccessMode,
|
||||
TRUE);
|
||||
}
|
||||
|
||||
failbasiccleanup:
|
||||
if (ObjectName != NULL)
|
||||
{
|
||||
ObjectName->Length = ObjectName->MaximumLength = 0;
|
||||
ObjectName->Buffer = NULL;
|
||||
}
|
||||
if (CapturedObjectAttributes != NULL)
|
||||
{
|
||||
RtlZeroMemory(CapturedObjectAttributes, sizeof(OBJECT_CREATE_INFORMATION));
|
||||
}
|
||||
DPRINT1("Failed to capture, cleaning up\n");
|
||||
ObpReleaseCapturedAttributes(ObjectCreateInfo);
|
||||
}
|
||||
|
||||
DPRINT("Return to caller\n");
|
||||
return Status;
|
||||
}
|
||||
|
||||
|
||||
VOID
|
||||
STDCALL
|
||||
ObpReleaseCapturedAttributes(IN POBJECT_CREATE_INFORMATION CapturedObjectAttributes OPTIONAL,
|
||||
IN PUNICODE_STRING ObjectName OPTIONAL,
|
||||
IN KPROCESSOR_MODE AccessMode,
|
||||
IN BOOLEAN CaptureIfKernel)
|
||||
ObpReleaseCapturedAttributes(IN POBJECT_CREATE_INFORMATION ObjectCreateInfo)
|
||||
{
|
||||
/* WARNING - You need to pass the same parameters to this function as you passed
|
||||
to ObpCaptureObjectAttributes() to avoid memory leaks */
|
||||
if(AccessMode != KernelMode || CaptureIfKernel)
|
||||
/* Release the SD, it's the only thing we allocated */
|
||||
if (ObjectCreateInfo->SecurityDescriptor)
|
||||
{
|
||||
if(CapturedObjectAttributes != NULL &&
|
||||
CapturedObjectAttributes->SecurityDescriptor != NULL)
|
||||
{
|
||||
ExFreePool(CapturedObjectAttributes->SecurityDescriptor);
|
||||
|
||||
#ifdef DBG
|
||||
RtlZeroMemory(CapturedObjectAttributes, sizeof(OBJECT_CREATE_INFORMATION));
|
||||
#endif
|
||||
}
|
||||
if(ObjectName != NULL &&
|
||||
ObjectName->Length > 0)
|
||||
{
|
||||
ExFreePool(ObjectName->Buffer);
|
||||
}
|
||||
SeReleaseSecurityDescriptor(ObjectCreateInfo->SecurityDescriptor,
|
||||
ObjectCreateInfo->ProbeMode,
|
||||
TRUE);
|
||||
ObjectCreateInfo->SecurityDescriptor = NULL;
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -483,7 +348,7 @@ ObFindObject(POBJECT_CREATE_INFORMATION ObjectCreateInfo,
|
|||
ObjectName->Buffer[0] != L'\\')
|
||||
{
|
||||
ObDereferenceObject (CurrentObject);
|
||||
DPRINT1("failed: \"%wZ\"\n", ObjectName);
|
||||
DPRINT1("failed\n");
|
||||
return STATUS_UNSUCCESSFUL;
|
||||
}
|
||||
|
||||
|
@ -930,9 +795,8 @@ ObCreateObject(IN KPROCESSOR_MODE ObjectAttributesAccessMode OPTIONAL,
|
|||
/* Capture all the info */
|
||||
DPRINT("Capturing Create Info\n");
|
||||
Status = ObpCaptureObjectAttributes(ObjectAttributes,
|
||||
ObjectAttributesAccessMode,
|
||||
NonPagedPool,
|
||||
TRUE,
|
||||
AccessMode,
|
||||
Type,
|
||||
ObjectCreateInfo,
|
||||
&ObjectName);
|
||||
|
||||
|
@ -958,10 +822,8 @@ ObCreateObject(IN KPROCESSOR_MODE ObjectAttributesAccessMode OPTIONAL,
|
|||
|
||||
/* Release the Capture Info, we don't need it */
|
||||
DPRINT1("Allocation failed\n");
|
||||
ObpReleaseCapturedAttributes(ObjectCreateInfo,
|
||||
&ObjectName,
|
||||
ObjectAttributesAccessMode,
|
||||
TRUE);
|
||||
ObpReleaseCapturedAttributes(ObjectCreateInfo);
|
||||
if (ObjectName.Buffer) ExFreePool(ObjectName.Buffer);
|
||||
}
|
||||
|
||||
/* We failed, so release the Buffer */
|
||||
|
@ -1115,10 +977,7 @@ ObpDeleteObject(POBJECT_HEADER Header)
|
|||
}
|
||||
if (Header->ObjectCreateInfo)
|
||||
{
|
||||
ObpReleaseCapturedAttributes(Header->ObjectCreateInfo,
|
||||
NULL,
|
||||
Header->ObjectCreateInfo->ProbeMode,
|
||||
FALSE);
|
||||
ObpReleaseCapturedAttributes(Header->ObjectCreateInfo);
|
||||
ExFreePool(Header->ObjectCreateInfo);
|
||||
}
|
||||
|
||||
|
|
Loading…
Reference in a new issue